Tags: amazon-web-services, terraform, amazon-cloudfront, amazon-waf

WAF not being attached to a Cloudfront due to issue in scope in Terraform


I'm defining a Cloudfront with a WAF using Terraform. The relevant parts of my code are:

resource "aws_cloudfront_distribution" "cloudfront" {
    origin {
        origin_id   = "originid"
        domain_name = "bucketname.s3.bucketregion.amazonaws.com"
        origin_path = ""
        connection_attempts = 3
        connection_timeout =  10
        origin_access_control_id = "oacid"
    }

    enabled             = true
    is_ipv6_enabled     = true
    comment             = "CloudFront Distribution"

    default_cache_behavior {
        allowed_methods  = ["HEAD", "GET", "OPTIONS"]
        cached_methods   = ["HEAD", "GET", "OPTIONS"]
        # must reference the origin_id declared in the origin block above
        target_origin_id = "originid"
        compress         = true
        forwarded_values {
            query_string = false

            cookies {
                forward = "none"
            }
        }

        viewer_protocol_policy = "allow-all"
        min_ttl                = 0
        default_ttl            = 3600
        max_ttl                = 86400
    }

    price_class = "PriceClass_100"

    restrictions {
        geo_restriction {
            restriction_type = "none"
        }
    }

    viewer_certificate {
        cloudfront_default_certificate = true
        ssl_support_method = "vip"
        minimum_protocol_version = "TLSv1"
    }

    http_version = "http2and3"
    # WAFv2 web ACLs are attached by ARN
    web_acl_id = aws_wafv2_web_acl.example.arn
}

for the CloudFront

and

resource "aws_wafv2_web_acl" "example" {
  name        = "example-waf"
  description = "Example WAF for protecting web applications"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      sampled_requests_enabled    = true
      cloudwatch_metrics_enabled  = true
      metric_name                 = "AWSManagedRulesCommonRuleSet"
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled  = true
    metric_name                 = "example-waf"
    sampled_requests_enabled    = true
  }

}

I'm getting the following error:

Error: creating WAFv2 WebACL (example-waf): operation error WAFV2: CreateWebACL, https response error StatusCode: 400, RequestID: aaead2e1-6d60-4943-9ef7-f5d7bfc54a78, WAFInvalidParameterException: Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT

However, if I try to use something different than CLOUDFRONT, it also tells me that I need to use CLOUDFRONT. I can confirm that the CloudFront resource works correctly alone (when the line web_acl_id = aws_wafv2_web_acl.example.arn is removed), but I can't confirm anything about the WAF; I've never been able to use it. What am I doing wrong?


Solution

  • The answer, as suggested by @caldazar, was to define a provider in the scope, in this case adding the region that was missing. Follow "Getting error as "The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT", in terraform" to get more details about the solution.
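The fix the solution above points at, written out as an added example (this is not the asker's or @caldazar's code): a second, aliased AWS provider pinned to us-east-1, with the web ACL created through it while everything else stays on the default provider. The default-provider region eu-west-1 is an assumption standing in for whatever region the rest of the stack uses.

```hcl
# Default provider: the region the rest of the stack (S3 origin, etc.) lives in.
# Assumption: eu-west-1 stands in for the asker's real region.
provider "aws" {
  region = "eu-west-1"
}

# WAFv2 web ACLs with scope = "CLOUDFRONT" are global objects that the API
# only accepts in us-east-1; CreateWebACL in any other region fails with
# WAFInvalidParameterException "The scope is not valid".
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "example" {
  provider = aws.us_east_1 # the line the question's resource was missing
  name     = "example-waf"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Managed rule group, unchanged from the question.
  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-waf"
    sampled_requests_enabled   = true
  }
}
```

CloudFront itself is global, so the distribution needs no provider change and `web_acl_id = aws_wafv2_web_acl.example.arn` stays as in the question. After this change `terraform plan` should show the web ACL being created in us-east-1 rather than failing at CreateWebACL.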